From Paul's Security Weekly
Hack Naked News #143
Recorded October 3, 2017 at G-Unit Studios in Rhode Island!
- ICANN Postpones Scheduled DNS Crypto Key Rollover - It seems the Internet is not ready for this: ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System. ICANN said in a statement that the change was to occur on Oct. 11, but new data indicates that a “significant number” of resolvers used by ISPs and large network operators are not ready. ICANN hopes to reschedule the rollover to the first quarter of next year.
- Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices - I found this interesting: most of the vulnerabilities and patches disclosed last week were reported via the company’s bug bounty program, launched in January in partnership with Bugcrowd. Since inception, the company has made several disclosures via the program, including a password bypass bug found in hundreds of thousands of Netgear routers reported earlier this year. It seems the bug bounty program has been successful. The latest wave of 50 vulnerabilites fixes some of the common flaws found in router firmware, including the very dangerous remote command injection. Researchers are quick to blame router and IoT vendors that, they claims, for years have put little effort into security, testing and hardening of products, but its clear the netgear bug bounty programs have increased the security of their products, however the difficult part is getting people to actually apply the patches.
- Duo Security Notes Concerns With Apple EFI - The Register reports: An analysis of 73,000 Apple Macs by Duo Security found that users are unknowingly exposed to sophisticated malware-based attacks because of outdated firmware. On average, 4.2 per cent of real-world 73,324 Macs used in the enterprise environments analysed are running an EFI firmware version that’s different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version. There are many reasons the EFI updates are lagging behind, including users and administrators not having a high degree of confidence in the updates, which has lead to them being ignored for some time. This leaves computers vulnerable to "Thunderstrike", an attack that uses a 35 year-old legacy option ROMs to replace the RSA keys in a Mac's extensible firmware interface (EFI) to allow malicious firmware to be installed and lock out attempts to remove it.
- The Internet Is Not Ready For DNS SEC
- FBI Allowed To Keep Secret Details Of iPhone Hacking Tool - Federal courts ruled in favor of the Justice Department, stating the risks of revealing the name of the vendor and the costs are just too risky. In her ruling, federal judge Tanya Chutkan said that naming the vendor and its cost would amount to putting a target on its back, and could lead to the loss of theft of the hacking tool. The suit was filed by various media outlets and No appeals will be allowed in this case.
- Java Security Plagued By Crappy Docs, Complex APIs - Don't rely on code from Stack Overflow, ironically enough: In a paper released on Thursday titled "Secure Coding Practices in Java: Challenges and Vulnerabilities" [PDF], five researchers analyzed Stack Overflow posts related to Java security. They found that many developers don't understand security well enough to implement it properly, that the overly complicated APIs in the Spring security framework and other libraries lead to frustration and errors, and that some popular Stack Overflow answers are unsafe and outdated. It would be interesting to launch a project to now comment on all of the posts and correct the insecurity. Any takers?
- Whole Foods Investigating Payment Card Data Breach - So, no need to really panic on this one: Grocery retailer Whole Foods Market announced on Sept. 28 that it was investigating a possible data breach, involving unauthorized access to payment card information. The potential breach is limited to table-service restaurants and taprooms within a limited number of Whole Foods stores and does not impact the company's primary checkout system used by in-store shoppers.
- Equifax Breach Impact Expands as Former CEO Admits Patching Failure - Wow, I believe we've talked about this sort of thing in the past: Smith noted that on March 9, an email was sent internally at Equifax directing those responsible for Struts within the organization to update the software. "Consistent with Equifax's patching policy, the Equifax security department required that patching occur within a 48 hour time period," Smith stated. "We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel." Additionally, Smith noted that on March 15, Equifax's information security department rans scans that should have identified systems that were vulnerable to the Struts vulnerability. Those scans however did not detect the impacted systems that remained unpatched.
- Behind the Masq: Yet more DNS, and DHCP, vulnerabilities - A research team at Google has discovered several vulnerabilities in dnsmasq, the popular DNS and DHCP server commonly used in IoT devices. I found it interesting that Kubrenetes was patch, which likely fueled Google's interest in helping secure this open-source project. Google worked closely with the software maintainers to ensure patches were pushed. I fear many IoT devices and projects may lag on updates, and some devices may never update, leaving these vulnerabilities, including 3 remote code execution flaws, unpatched forever.You must be running version 2.78 of dnsmasq to be protected from these flaws.